In-Depth

Patching Windows Security

Get the scoop on Microsoft's series of releases and updates that will tighten security on both the latest Windows operating systems as well as most other Microsoft products.

• By Danielle Ruest and Nelson Ruest
• 07/01/2004

For This Solution: Windows Server 2003, Windows Server 2003 Service Pack 1, Windows XP Home and Professional, Windows XP Service Pack 2, Windows Update Services (Software Update Services 2.0), Windows Update Web site, Windows Installer 3.0

Editor's Note: This article is based on prerelease versions of all of the components discussed here. It is possible that the behavior of final released versions may differ from the descriptions included herein.

When Scott Charney took the chief security strategist position at Microsoft, his first job was talking to enterprise users. "Patch management was their biggest concern," Charney said. "I started looking at it, and I realized patch management is broken. I went to the next step, which is to figure out why it's broken. It's not enough to say it's broken; you need to understand it." According to Charney, Microsoft uses eight different technologies for patching its products.

It surprised no one when in his keynote address at TechEd 2003, Microsoft's premier conferences for system administrators and developers, Charney said, "We need to do better at securing our products."

A bit more than a year later, Microsoft is on the verge of rolling out a series of tools that will go a long way toward fixing its "broken" patch management tools. These include:

• Service Pack 2 (SP2) for Windows XP.
• Service Pack 1 (SP1) for Windows Server 2003.
• Windows Update Services, a new patch management and update technology. (This is actually Software Update Services 2.0.)
• A new edition of the Windows Update Web site.
• Windows Installer 3.0, a core tool that will help make it all work together.

In Microsoft-speak, "service packs" are no-cost, essential collections of bug fixes and improvements to the basic components of the operating system. However, for both new service packs, Microsoft's focus this time is on security almost exclusively.

It will have taken Microsoft more than 18 months to prepare the first service pack for Windows Server 2003—so much for the fence-sitters who wait for a first service pack before deploying the technology. For conservative system administrators, the wait has been interminable.

Meanwhile, other system administrators have deployed Windows Server 2003 without waiting for the service pack because Windows Server 2003 is Microsoft's most secure operating system to date. Whether or not you've deployed Windows Server 2003, the wait will have been worth it.

Windows Server 2003 SP1 includes a new tool called the Security Configuration Wizard, or SCW (see Figure 1). This wizard provides a comprehensive overview of the status of a current system and helps you determine how to lock down your servers further. Though this isn't the first tool to help lock down systems—Microsoft has provided the Security Configuration and Analysis or secedit tool since Windows 2000—it does provide unique capabilities. The SCW can be used to capture security settings from a standard system, edit an exiting policy, apply captured settings to a local or remote computer, or rollback security settings to their original settings.

Capture Security Settings
When you use SCW to capture security settings for a domain controller, it performs five steps:

1. You walk through the startup settings for services on the server. The settings are listed according to the role the server plays in your network. These roles include most every potential server role included in the entire Windows Server System stack, even the subroles you find in individual Server System products.
   
   For example, it lists all of the server roles Systems Management Server (SMS) servers can play in a network, including Client Access Point, Management Point, and so on. This is true for each of the Windows Server System products. But the most impressive aspect of the service lockdown is the description of each service (see Figure 2). For once, Microsoft finally provides complete descriptions of the dependencies, purpose, and functionality for each started and nonstarted service. In addition, services are listed for server and client roles, as well as for administrative options, non-Microsoft services, and unspecified services or services that are not on this machine, but may be found on other machines (see Figure 3). The SCW helps you set the state for each service and provides a summary of all changes at the end of this step (see Figure 4).
2. You focus on network security. Here you review and secure open inbound TCP/IP ports, and, once again, receive valuable information as to which ports are required by which active service. Once you've reviewed and secured the ports, the wizard provides a summary of all changes.
3. You configure registry settings—not all settings, but critical settings related to security. This includes server message block (SMB) signing for communications encryption, lightweight directory access protocol (LDAP) signing for access to the directory, outbound authentication with domain accounts, and inbound authentication. Once again, the wizard gives you a summary once your configurations are complete.
4. You configure settings that relate to the audit policy for this server role. Here you turn off auditing altogether, audit only successful operations, or audit both success and failures. When you're finished, the wizard provides a summary of modifications.
5. You deal with saving, naming, and providing a description for the policy you just created. Once this is done, you can choose to apply the policy or save it for later use.

There is no doubt that this tool will be a godsend for all system administrators no matter their level of sophistication in Windows technologies. The security reports that this tool provides alone will be highly useful for documenting system configurations. Administrators everywhere will finally be able to take the proper measures when deciding if and when a service can be completely shut down on a server. In addition, the fact the SCW includes a command-line equivalent, scwcmd, will facilitate the application of the policies it creates to multiple servers at the same time. This also means that you will be able to apply these policies during system construction, ensuring that your systems are secure as soon as they are built.

But this is not the only security feature included in the service pack. One minor, but important, addition is the warning that appears when you use drag and drop to move objects in Active Directory consoles (see Figure 5). The absence of this warning has been a significant problem since the release of Windows Server 2003. Because no warning or confirmation dialog box appears when administrators move objects with the left mouse button (using the right mouse button to drag and drop at least displays a "move here" pop up message), many admins find they accidentally mess up both machines and users because they move them to the wrong organizational unit (OU), thus changing their configuration because of the Group Policy Objects (GPOs) included in the destination OU. Once again, we stress that you'll greatly appreciate this message. Our suggestion: Don't turn it off!

Get Secure With Windows XP SP2
Like SP1 for Windows Server, SP2 for Windows XP has a huge focus on security. In fact, the most important addition this service pack brings to XP is the Security Center console (see Figure 6). This console can provide key information about the configuration of your computer, and focuses on three key areas:

• Setting up and configuring the Windows Firewall, a new tool that is a major upgrade to the Internet Connection Firewall that was found in previous versions of Windows XP.
• Providing information on the status of your antivirus definition files and instructions on what to do about it if your definitions are not up to date.
• Setting up and configuring automatic updates. In fact, this element is considered so important that after the installation of the service pack and a system reboot, you must choose how to configure automatic updates before you can log into your computer (see Figure 7).

The Security Center can be accessed in a number of ways. It can be found in the Administration Tools as well as within the Control Panel. The Security Center service is a background service that runs on all upgraded PCs. For systems that are based on the Home edition or systems that are part of a workgroup, Microsoft deems this service so important that it cannot be turned off. However, for systems that are running the Professional edition and are part of a corporate network and thus an Active Directory (AD) domain, it can be controlled through Group Policy where you can turn it on or off as you need to. Obviously, Microsoft believes that corporate administrators can determine the need for this service given that PCs are protected by corporate firewalls and corporate policies.

According to Windows security guru Jason Fossen, Windows track manager at the Systems Administration and Network Security (SANS) Institute, the nicest thing about this service pack is the new Windows Firewall.

"For once, Microsoft is providing us with a fully functional firewall client that can be controlled in a number of different ways," Fossen says. That's because the firewall includes a simple but powerful interface as well as a comprehensive API that lets you control its behavior programmatically (see Figure 8). The firewall can also be controlled through GPOs or through the net shell command-line tool (netsh). "This means that administrators will be able to write scripts or assign GPOs that will control firewall behavior in their networks, especially in support of older applications that don't know or understand how to work with the new firewall," Fossen says.

According to Fossen, one neat aspect of this tool is the new "panic mode" it supports. Upon detecting untoward behavior in the network—behavior that resembles a viral or worm attack—the firewall blocks any attempts automatically to connect to the client from the network. This protects PCs automatically from attack. To turn firewall connections back on, you'll have to reset the firewall configuration manually if it is on a home PC. In a network, it will be reset automatically the next time the PC connects to domain controllers to refresh Group Policy—something that normally occurs every 90 minutes—because outgoing connections are still available. Fossen plans to update his six-day Windows security courseware to include new features from both service packs when they are closer to official release.

GPO Settings Grow
The inclusion of so many new security features in both service packs will also have an impact on the number of GPO settings that are included in Windows Server. In the original release, Windows Server boasted 890 GPO settings right out of the box. With both service packs installed, this number has now grown to almost 1,000 settings. These new settings include support for many new aspects of security, including secure connections for Terminal Services based on the Secure Sockets Layer (SSL) standard, new settings to control peer-to-peer networking in Windows, and new settings to control wireless networking. For Fossen, the last is a godsend for system administrators. As he puts it, "With these new settings, you won't have to configure wireless networks by going from PC to PC to set up protected connectivity; you'll be able to do it all from the comfort of your desk."

As Fossen says, "If you haven't started working with Group Policy yet, now's the time to get on the bandwagon because this tool is becoming more and more useful to system administrators everywhere." He's right. One of the best things to come out of Windows 2000 was Group Policy. With Windows Server 2003, Microsoft has managed to take GPOs to the next level.

Windows Server 2003 SP1 and Windows XP SP2 go a long way toward protecting your PCs and servers, but as we all know, there will inevitably be more flaws found in Microsoft operating systems and other tools. That's one of Microsoft's main problems: In trying to be everything software for everyone, the company has flooded the market with all sorts of tools in use by millions of users. This is one reason why Microsoft's security flaws are so often in the news—Microsoft products are widely used and cover a gamut of services.

In addition to the service packs, Microsoft is beefing up two core tools that will help system administrators manage and deploy patches for all of the Microsoft tools they shepherd. That's right. The major flaw with Software Update Services (SUS) today is that it only helps you manage operating system-related patches. Version 2.0, which has been rebaptised Windows Update Services (WUS) will continue to support the update and application of patches to operating systems, but will include applications as well. In its first iteration, WUS will help you manage various versions of Windows, Office, Exchange, SQL Server, and the Microsoft SQL Server Desktop Edition (MSDE). As time goes by, support for other Microsoft products will be added to WUS without having to change versions of the product. They will simply be included in your deployed WUS interface as Microsoft makes them available. It will be up to you to determine if they are required in your network or not. In fact, you'll be able to subscribe to these new updates as they come online.

In addition to the service packs, Microsoft is beefing up two core tools that will help system administrators manage and deploy patches for all of the Microsoft tools they shepherd. That's right. The major flaw with Software Update Services (SUS) today is that it only helps you manage operating system-related patches. Version 2.0, which has been rebaptised Windows Update Services (WUS) will continue to support the update and application of patches to operating systems, but will include applications as well. In its first iteration, WUS will help you manage various versions of Windows, Office, Exchange, SQL Server, and the Microsoft SQL Server Desktop Edition (MSDE). As time goes by, support for other Microsoft products will be added to WUS without having to change versions of the product. They will simply be included in your deployed WUS interface as Microsoft makes them available. It will be up to you to determine if they are required in your network or not. In fact, you'll be able to subscribe to these new updates as they come online.

In addition, WUS will support the deployment of noncritical patches and upgrades, as well as driver updates—something that has been sorely lacking in the current edition of SUS. However, this is not the only new feature included in WUS. It will also scale more easily and support more complex distribution architectures, making it a much more solid enterprise-capable application. Also, to make all of this work, Microsoft is revamping the Windows Update site to include patches and updates for all of its products. Users who want to update their systems by using the Web site will be pleased to see it identify all the Microsoft products installed on their systems and offer applicable updates for each and every one of them.

Manage Patches With WIS 3.0
The final component of this integrated security upgrade is a little-known but highly useful service, the Windows Installer Service (WIS). In its third iteration, Windows Installer will finally learn how to manage patches properly. Anyone who has tried to update software such as Microsoft Office has immediately become aware of the major limitation of Windows Installer version 2.0. That is, to update a product with a patch, WIS 2.0 needs access to the original installation files. Too many Microsoft clients don't update their copies of Office, Visio, or Project because they can't seem to find the exact disk or network source they used to deploy these products on their systems. No source files, no update.

This will be a thing of the past because WIS 3.0 is all about servicing. Because this service installs a local installation database when a product is first deployed to a system, WIS 3.0 will use it as the source required for the application of the patch. This alone will go a long way toward protecting Microsoft customers from malicious code.

All of these technologies won't be available until after this story is published. As this was being written, a Microsoft spokesperson said Windows Server 2003 SP1 is expected to ship the "the second half of 2004" while Windows XP SP2 is expected to ship "this summer."

WIS 3.0 will be included in the service packs. WUS and the new Windows Update Web site are due later this year. Our recommendation is to begin working with these tools as soon as you can get them. Download the prerelease versions and try them in your lab. That way, you'll be ready to deploy them and protect your systems as soon as they are available officially. However, remember the new software caveat: Test, test, test to make sure all your systems and legacy applications will work with these new tools.

There is no doubt that users of Microsoft products will thank Scott Charney for declaring that Microsoft's patch system was broken. In a little more than one year, he's taken something that was completely broken and put it on the right path. Any suggestions on what he should fix next?